Operations Manager 2007 R2 Cross Platform ACS Release Notes

Applies to: System Center Configuration Manager 2007 R2

Last Updated: 1/4/2010

These release notes are for System Center Operations Manager 2007 R2 Cross Platform Audit Collection Services (ACS). Read these release notes thoroughly before you install Operations Manager 2007 R2 Cross Platform ACS.

Benefits of Operations Manager 2007 R2 Cross Platform ACS

Operations Manager 2007 R2 Cross Platform ACS provides the following benefits:

  • Delivers an ACS Windows-equivalent infrastructure solution by leveraging cross-platform infrastructure on Linux-based computers.

  • Enables partner solutions for auditing applications, network devices, and deeper operating system events.

  • Enables a singular view of the enterprise by aggregating audit events from UNIX-based and Linux-based computers along with Windows-based computers.

  • Ensures the confidentiality, integrity, and availability of the audited data.

  • Provides out-of-the-box reporting.

System Prerequisites

Cross Platform ACS requires 32- or 64-bit Operations Manager 2007 R2 with ACS Collector installed and enabled on a computer in the management group and Audit Forwarding Service installed and enabled on the Cross Platform ACS management server.

The following 32- and 64-bit Windows Server versions are supported in this release:

  • Windows Server 2003 with Service Pack 1 and later, any edition

  • Windows Server 2008, any edition

The following 32- and 64-bit operating systems are supported in this release:

  • Red Hat Enterprise Linux Server 4 and 5

  • Novell SUSE Linux Enterprise Server 9, 10.1, and 11

Note

By default, Cross Platform ACS is disabled. To collect audit events, Cross Platform ACS must be enabled by creating an override to the default setting. For more information about how to create an override, see Deploy Audit Collection Services (ACS) for Cross Platform Operating Systems in the document Audit Collection Services (ACS) Support for Cross Platform Operating Systems (https://go.microsoft.com/fwlink/?LinkId=180645).

Best Practices

Custom Management Pack

By default, Operations Manager 2007 R2 saves all customizations to the default management pack. It is best practice not to write any custom overrides to the default management pack. We recommend that you create a new custom management pack for this purpose.

You can use a custom management pack to simplify the move from test and preproduction environments to the production environment. For more information about how to create a custom management pack, see Create a New Management Pack for Customizations (https://go.microsoft.com/fwlink/?LinkID=152033).

Known Issues for This Release

Operations Manager ACS Reports Must Be Installed Before You Install Cross Platform ACS Reports

Problem: You receive error messages if you install the Cross Platform ACS Reports when Operations Manager 2007 R2 ACS Reports are not installed.

Workaround: Install Operations Manager 2007 R2 ACS Reports before you install the Cross Platform ACS Reports. If you receive error messages during the installation of Operations Manager 2007 R2 ACS Reports, remove all Cross Platform ACS Report files from the server, and then install Operations Manager 2007 R2 ACS Reports. For more information about installing Operations Manager 2007 R2 ACS Reports, see Deploying Operations Manager 2007 ACS Reporting (https://go.microsoft.com/fwlink/?Linkid=155930).

Unable to Filter the Windows Security Event Log for Cross Platform ACS Audit Events on Windows Server 2003

Problem: You are unable to limit the event filter to only show ACS audit events on Windows Server 2003. In the Filter dialog box for Security events, when you select the Event source to be CrossPlatformSecurity, no Cross Platform ACS audit events appear.

Workaround:

To view all audit events on a computer running Windows Server 2003

  1. In the Event Viewer console, in the navigation pane, select the Security log file.

  2. Click View, and then click Filter.

  3. In the Security Property dialog box, make sure the Event Source is set to All.

  4. In Event Types, select only the Success audit and Failure audit check boxes.

  5. Click OK.

All audit events will appear.

Some SU Events Do Not Appear in the Audit Log for SUSE Linux Enterprise Server Version 9

Problem: For computers running SUSE Linux Enterprise Server version 9, some su events do not appear in audit event logs.

Workaround: To log all su events on a computer running SUSE Linux Enterprise Server version 9, make sure that version SLES 9 SP4 is installed on the target computer.

Login Attempt Events Do Not Appear in the Audit Log for HP-UX Computers

Problem: For computers running the HP-UX platform, login attempt audit events do not appear in audit event logs.

Workaround: HP-UX computers do not log login attempts to the syslog file; therefore, no login attempt audit events are logged for Cross Platform ACS.

Default Solaris Computer Configuration Does Not Log Required Audit Events

Problem: For Solaris computers, required audit activity is not logged.

Workaround: For Solaris computers, logging configuration is controlled by the configuration files at /etc/syslog.conf. Perform the following steps to enable correct logging:

To enable event logging on a Solaris computer

  1. Add the following code to the existing configuration file found at /etc/syslog.conf:

    # Log basic authentication (su, etc) to /var/log/authlog for ACS
    auth.info;local2.info                           /var/log/authlog 
    

    Note

    Use the TAB key to separate log components from log file names. Spaces do not work.

    For example, the following is the syslog.conf file for a Solaris computer. The modified portion is the comment line that begins "# Log basic authentication" and the rule that follows it.

    #ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
    # Copyright (c) 1991-1998 by Sun Microsystems, Inc.
    # All rights reserved.
    # syslog configuration file.
    # This file is processed by m4 so be careful to quote (`') names
    # that match m4 reserved words.  Also, within ifdef's, arguments
    # containing commas must be quoted.
    *.err;kern.notice;auth.notice                   /dev/sysmsg
    *.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
    # Log basic authentication (su, etc) to /var/log/authlog for ACS
    auth.info;local2.info                           /var/log/authlog
    
    *.alert;kern.err;daemon.err                     operator
    *.alert                                         root
    *.emerg                                         *
    
    # if a non-loghost machine chooses to have authentication messages
    # sent to the loghost machine, un-comment out the following line:
    #auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)
    mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)
    
    # non-loghost machines will use the following lines to cause "user"
    # log messages to be logged locally.
    ifdef(`LOGHOST', ,
    user.err                                        /dev/sysmsg
    user.err                                        /var/adm/messages
    user.alert                                      `root, operator'
    user.emerg                                      *)
    
  2. Restart the syslog daemon.

    On Solaris 5.8 and 5.9, at a command prompt, enter /etc/init.d/syslog stop, followed by /etc/init.d/syslog start.

    On Solaris 5.10, at a command prompt, enter svcadm refresh svc:/system/system-log.

You will now need to enable the appropriate Cross Platform ACS Solaris management pack rules as described in the topic How to Enable ACS Rules (https://go.microsoft.com/fwlink/?LinkId=180644) found in the document Audit Collection Services (ACS) Support for Cross Platform Operating Systems (https://go.microsoft.com/fwlink/?LinkId=180645).

Default AIX Computer Configuration Does Not Log Audit Events

Problem: For AIX computers, required audit activity is not logged.

Workaround: By default, AIX computers do not log audit events. The logging configuration is controlled by the files located at /etc/syslog.conf. Perform the following steps to enable logging of all event messages at the debug level or higher.

To enable event logging on an AIX computer

  1. Using an appropriate editor, modify the /etc/syslog.conf file to contain the following line:

    *.info   /var/log/syslog.log     rotate size 1m files 10
    

    where /var/log/syslog.log is the location and name of the syslog file. The syslog file is rotated when it becomes larger than 1 megabyte (MB) and the number of rotated files is limited to 10.

    Note

    Use the TAB key to separate priority, destination, and rotation parameters. Spaces do not work.

  2. At a command prompt, to refresh the computer’s configuration, enter # refresh -s syslogd.

You will now need to enable the appropriate Cross Platform ACS AIX management pack rules as described in the topic How to Enable ACS Rules (https://go.microsoft.com/fwlink/?LinkId=180644) found in the document Audit Collection Services (ACS) Support for Cross Platform Operating Systems (https://go.microsoft.com/fwlink/?LinkId=180645).
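
The TAB requirement in the Solaris and AIX procedures above can be checked before the syslog daemon is restarted. The following shell functions are an added example, not part of these release notes or of Operations Manager; the function names and the sample files are constructed for illustration, and the second function checks only the Solaris auth.info rule shown earlier.

```shell
#!/bin/sh
# Added example (not from the release notes): lint a syslog.conf for the
# TAB-separator requirement and for the ACS authentication rule.

# Print "LINE: text" for each rule whose selector is followed by a space
# instead of a TAB. Exit status 0 = clean, 1 = at least one bad line.
find_space_separated_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        /^ifdef\(/ { next }                 # skip the m4 wrapper line on Solaris
        match($0, /^[^ \t]+/) && substr($0, RLENGTH + 1, 1) == " " {
            printf "%d: %s\n", NR, $0; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Exit status 0 if an active rule sends auth.info to /var/log/authlog
# with a TAB between selector and destination, 1 otherwise.
has_acs_auth_rule() {
    awk '
        BEGIN { FS = "\t+" }
        /^[ \t]*#/ { next }
        {
            dest = $2; sub(/[ \t]+$/, "", dest)   # tolerate trailing blanks
            if (index(";" $1 ";", ";auth.info;") > 0 && dest == "/var/log/authlog") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample files: one typed with TABs, one typed with spaces.
write_samples() {
    printf '# ACS\nauth.info;local2.info\t\t/var/log/authlog\n*.alert\troot\n' > "$1/good.conf"
    printf '# ACS\nauth.info;local2.info     /var/log/authlog\n*.alert\troot\n' > "$1/bad.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in good.conf bad.conf; do
    if find_space_separated_rules "$demo_dir/$f" && has_acs_auth_rule "$demo_dir/$f"
    then echo "$f: OK"
    else echo "$f: needs fixing"
    fi
done
rm -rf "$demo_dir"
```

To check a live system, call both functions with /etc/syslog.conf as the argument.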

You receive the error "parse error in /etc/sudoers near line -1" When Running AIX Sudo

Problem: When using the default sudo package on a system without LDAP, you receive an error "parse error in /etc/sudoers near line -1" when the user or the user's group is not listed in /etc/sudoers.

Workaround: The expected behavior is a message to the console and the syslog that the user is not listed in the sudoers file. IBM provides two sudo packages for AIX at AIX Toolbox for Linux Applications (https://go.microsoft.com/fwlink/?LinkId=179320). Install sudo-1.6.9p15-2noldap.aix5.2.ppc.rpm to correct the problem.

All_Events_For_Specified_Computer Report Does Not Support FQDN

Problem: No results are returned when specifying a FQDN for a computer name in the All_Events_For_Specified_Computer report.

Workaround: In the All_Events_For_Specified_Computer report, enter the host name to return all relevant records from the ACS database.

Performance When Generating Reports Degraded with Large Audit Datasets

Problem: Report system performance is degraded with audit datasets exceeding 10,000 records.

Workaround: Reports for datasets larger than 10,000 records require more computing resources.

Online Operations Manager 2007 ACS Resources

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2010 Microsoft. All rights reserved. 

Microsoft and Windows are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.